From: Stuart Sheldon (stu actusa.net)
Date: Wed Feb 13 2002 - 17:54:17 CST
Yes, we are seeing the same thing over here... It appears to be most
effective when the attack is pointed at a subnet with a shared web
server with many IPs bound to the same interface. This also could be an
attempt to use these systems as a reflector to flood a particular IP
address out on the web...
Stu Sheldon
"NESTING, DAVID M (SBCSI)" wrote:
>
> In the last few days I've been seeing what *looks* like a SYN flood attack
> on port 80 across all IP addresses on my network. However, if it's a flood,
> it's not a very strong one. Modest hardware is able to keep up with the
> incoming packets without a problem, but the steady flow of SYN packets is
> still a steady flow. (On a given system, the number of connections in a
> SYN_RECVD-ish state numbers 50-100.) The source IP addresses stay constant
> for a minute or two and then cease, sometimes as another IP address starts
> sending its own stream of SYN packets, though occasionally more than one
> host will be sending traffic at a time. Source addresses are in a variety
> of networks, but seem to be consistently dialup or similar type connections.
>
> It "feels" like an attempt at a denial-of-service attack, but why spread it
> out over so many destination IP addresses (many of which have no Internet
> presence), and why would the flood be so weak as not to actually affect
> anything?
>
> Could this be an IDS allowing spoofed IP addresses through while stripping
> out a "dangerous" payload that might come along with the first ACK response?
> Or maybe a form of scan where the volume of response carries information
> they want? Has anyone seen something similar?
>
> David
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
--
In a five year period we can get one superb programming language. Only we can't control when the five year period will begin.
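
An added example, not part of either message: one way to summarize the pattern David describes (per-source SYN streams to port 80 that last a minute or two, spread over many destination addresses, with no handshake ever completed) from packet records. The record format, the thresholds and the documentation-range addresses are constructed assumptions.

```python
from collections import defaultdict

def sample_records():
    """Constructed records: (epoch seconds, source, destination, dest port, TCP flags)."""
    recs = []
    # Source A: SYN-only stream spread over 20 destination addresses for about 90 s
    for i in range(90):
        recs.append((1000 + i, "198.51.100.7", f"192.0.2.{i % 20 + 1}", 80, "S"))
    # Source B: ordinary client that completes its handshake with one server
    recs += [(1010, "203.0.113.9", "192.0.2.5", 80, "S"),
             (1011, "203.0.113.9", "192.0.2.5", 80, "A")]
    # Source C: a second stream that starts as A's stops
    for i in range(60):
        recs.append((1095 + i, "198.51.100.44", f"192.0.2.{i % 30 + 1}", 80, "S"))
    return recs

def summarize_sources(records, port=80):
    """Per source: SYN count, completing-ACK count, distinct destinations, burst span."""
    stats = defaultdict(lambda: {"syn": 0, "ack": 0, "dsts": set(),
                                 "first": None, "last": None})
    for ts, src, dst, dport, flags in records:
        if dport != port:
            continue
        s = stats[src]
        if flags == "S":                      # bare SYN from the client side
            s["syn"] += 1
            s["dsts"].add(dst)
            s["first"] = ts if s["first"] is None else min(s["first"], ts)
            s["last"] = ts if s["last"] is None else max(s["last"], ts)
        elif "A" in flags:                    # client ACK: handshake went further
            s["ack"] += 1
    return stats

def flag_sweeping_sources(records, min_dsts=10, min_syn=30):
    """Sources sending many SYNs to many addresses without completing a handshake.
    Thresholds are illustrative assumptions, to be tuned per network."""
    flagged = {}
    for src, s in summarize_sources(records).items():
        if s["syn"] >= min_syn and len(s["dsts"]) >= min_dsts and s["ack"] == 0:
            flagged[src] = {"syn": s["syn"], "dsts": len(s["dsts"]),
                            "seconds": s["last"] - s["first"]}
    return flagged

if __name__ == "__main__":
    for src, info in sorted(flag_sweeping_sources(sample_records()).items()):
        print(src, info)
```

The per-source burst length and destination fan-out are the two figures that separate this traffic from a conventional single-target flood.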